Cisco Support Community

IPsec on hosts behind load balancing NAT


I have a problem configuring an IPsec tunnel between two sites, where one side is using NAT for load balancing of TCP traffic. I've been working on this for hours, but I found myself in a dead end.

I have one router using NAT TCP load balancing of telnet traffic (in the real deployment I need FTP load balancing; I am using telnet for testing purposes). This router is connected to another router, to which multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.

So far I was not able to configure IPsec to work properly with this setup. I have a working configuration with IPsec encrypting some traffic not destined behind the NAT, but once I add a line specifying that traffic to the access lists on both sides, IPsec stops working (and it won't work from either side of the connection, from behind the NAT or destined behind the NAT). The access list on the router performing NAT is configured to allow any traffic destined to some specific addresses, and the access list on the router with the connected hosts specifies that any connection destined to the global address, where the servers are reachable, should be encrypted.

On the side where the traffic comes from I always see debug output like this:

*Mar  1 05:23:54.294: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local=, remote=,
    local_proxy= (type=1),
    remote_proxy= (type=1),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A

is my global address for the FTP server

On the side where the encryption should be terminated I always see output like this:

*Mar  1 05:23:54.130: map_db_find_best did not find matching map
*Mar  1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address

But I can see that there is a crypto map for the address:

RA#sh cryp map
Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address:

I tried to use some of the NAT traversal techniques for IPsec, but without any success.

If you have any idea what the problem could be, or if you need any additional information or debugging output, I will be glad for any help.

Thanks, Adrian
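Editor's note: the following is an added illustration of the topology described in the post above, not the poster's own configuration and not a diagnosis of it. It shows the NAT-router side only: a rotary NAT pool that distributes TCP connections aimed at one inside global address across three real servers, plus a crypto map on the outside interface whose crypto ACL selects that traffic toward the remote hosts. All addresses, interface names, the pre-shared key, and the ACL numbers are assumed placeholders; the transform set (esp-des esp-sha-hmac, tunnel mode) and the 3600 s lifetime are the values visible in the debug output on this page. The point a practitioner wants when writing a crypto ACL on a NAT router is the IOS order of operations: inside-to-outside traffic is translated before the crypto map is evaluated, and outside-to-inside traffic is decrypted before it is translated, so the crypto ACL on the NAT router must match the inside global address, not the servers' inside local addresses.

```cisco
! Assumed addressing (placeholders, not from the original post):
!   203.0.113.1/30   Serial0/0, outside interface of the NAT router
!   203.0.113.2      remote IPsec peer (the router with the client hosts)
!   192.168.1.0/24   client hosts behind the remote router
!   192.0.2.100      inside global address of the load-balanced server
!   10.1.1.10-12     inside local addresses of the real servers

! --- TCP load distribution: rotary pool of real servers ---
! ACL 10 matches the DESTINATION (virtual) address; each new TCP
! connection to it is handed to the next server in the pool.
ip nat pool SERVERS 10.1.1.10 10.1.1.12 prefix-length 24 type rotary
access-list 10 permit host 192.0.2.100
ip nat inside destination list 10 pool SERVERS

! --- IKE phase 1 (pre-shared key is a placeholder) ---
crypto isakmp policy 10
 encr des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME address 203.0.113.2

! --- IPsec phase 2: transform set and lifetime as seen in the debug output ---
crypto ipsec transform-set TS esp-des esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600

! Crypto ACL, written against the inside GLOBAL address: inside-to-outside
! NAT runs before the crypto map is checked, and decryption runs before
! outside-to-inside NAT, so the map only ever sees 192.0.2.100, never 10.1.1.x.
access-list 110 permit tcp host 192.0.2.100 192.168.1.0 0.0.0.255
! The remote router's crypto ACL is the mirror image (assumed, not shown here):
!   access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 192.0.2.100

crypto map TCP_ENCRYPTION 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110

! Outside interface carries both the NAT boundary and the crypto map.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map TCP_ENCRYPTION

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
```

Two checks worth running against a configuration like this. First, the "no IPSEC cryptomap exists for local address" message on the responder is evaluated against the address of the interface the crypto map is bound to, so compare the `local address` printed by `show crypto map` with the `set peer` address configured on the other router; they must be the same address. Second, the crypto ACLs on the two routers must be exact mirrors after NAT has been taken into account, since a proxy-identity mismatch fails phase 2 even when phase 1 completes. Unrelated to the question but worth noting for any real deployment: `esp-des` appears here only because it is what the page's debug output shows; DES is not an acceptable cipher today, and an AES transform (for example `esp-aes esp-sha-hmac`) with a larger DH group should be used instead.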
